├── README.md
├── images
│   ├── suricata00.png
│   ├── suricata01.png
│   └── suricata02.png
└── vagrant
    ├── Vagrantfile
    ├── common.sh
    ├── elastic.sh
    ├── elasticsearch.sh
    ├── filebeat.sh
    ├── kibana-dev.sh
    ├── kibana.sh
    ├── suricata.sh
    ├── wazuh-agent.sh
    ├── wazuh-api.sh
    ├── wazuh-manager.sh
    └── wazuh.sh

/README.md:
--------------------------------------------------------------------------------
# c2matrix-analyzer

Basic C2 Matrix analysis environment using Suricata + Wazuh + Elastic Stack

- The agent VM has Suricata configured to use the Emerging Threats Open rules.
- Suricata alerts are collected by the Wazuh agent and sent to the Wazuh manager.
- The Wazuh manager sends alerts to Elasticsearch; they can be viewed in Kibana, both in the Discover section and in the Wazuh plugin.

![Analysis00](https://github.com/eortizbrossard/c2matrix-evaluation/blob/master/images/suricata00.png)

![Analysis01](https://github.com/eortizbrossard/c2matrix-evaluation/blob/master/images/suricata01.png)

![Analysis02](https://github.com/eortizbrossard/c2matrix-evaluation/blob/master/images/suricata02.png)

Requirements:
- VirtualBox
- Vagrant

Environment:
1. master: Wazuh manager (all in one) + Elasticsearch + Kibana
   OS: CentOS 7
   Kibana port 5601 is forwarded to port 5601 on the local host

2. agent: Wazuh agent + Suricata + ET Open
   OS: CentOS 7

3.
c2server:
   OS: Kali / Debian / CentOS 7  # choose one by editing the Vagrantfile

# Instructions:
For deployment, do the following:

Extract all files into a directory and launch the commands from that directory.

To deploy the entire environment:
```
$ vagrant up
```
Deploy a single VM:
```
$ vagrant up [VM_NAME]
```
Destroy the whole environment:
```
$ vagrant destroy
```
Destroy a single VM:
```
$ vagrant destroy [VM_NAME]
```
Access Kibana:
```
http://localhost:5601
```
Access a VM:
```
$ vagrant ssh [VM_NAME]
```
Network:
- master_ip = "192.168.76.2"
- agent_ip = "192.168.76.20"
- c2server_ip = "192.168.76.30"

# References:
```
- Red Team Kali package. It contains instructions for installing various C2 programs (they may also apply to Debian).
https://bugs.kali.org/view.php?id=6093

- C2 Matrix:
https://howto.thec2matrix.com/
https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0

- Suricata
https://suricata-ids.org/

- Emerging Threats
https://rules.emergingthreats.net/

- Wazuh
https://github.com/wazuh/wazuh

- Elastic
https://github.com/elastic
```
--------------------------------------------------------------------------------
/images/suricata00.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/h0rv4th/c2matrix-analyzer/79042fdd0f8d00a500628811036cea6bab4d0e18/images/suricata00.png
--------------------------------------------------------------------------------
/images/suricata01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/h0rv4th/c2matrix-analyzer/79042fdd0f8d00a500628811036cea6bab4d0e18/images/suricata01.png
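--------------------------------------------------------------------------------
/images/suricata02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/h0rv4th/c2matrix-analyzer/79042fdd0f8d00a500628811036cea6bab4d0e18/images/suricata02.png
--------------------------------------------------------------------------------
/vagrant/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :
#
# Three-VM lab on the host-only network 192.168.76.0/24:
#   master   - Wazuh manager + API, Filebeat, Elasticsearch, Kibana (+ Wazuh app)
#   agent    - Wazuh agent + Suricata with the ET Open ruleset
#   c2server - bare box; the C2 framework is installed by hand (see README)
# The IPs below are also documented in the README; keep both in sync.
master_ip       = "192.168.76.2"
agent_ip        = "192.168.76.20"
c2server_ip     = "192.168.76.30"
wazuh_version   = "3.10.0"
wazuh_branch    = "3.10"
elastic_version = "7.3.2"

Vagrant.configure("2") do |config|
  # All-in-one instance. Provisioner order matters: repositories first
  # (elastic.sh, wazuh.sh), then the manager, then the Elastic stack.
  config.vm.define "master" do |master|
    master.vm.box = "centos/7"
    master.vm.provision :shell, path: "elastic.sh"
    master.vm.provision :shell, path: "wazuh.sh"
    master.vm.provision :shell, path: "common.sh"
    # Arguments are given as arrays so Vagrant escapes each one individually
    # instead of splicing a hand-quoted string onto the command line; the
    # scripts read them positionally ($1, $2, $3), so the values are unchanged.
    master.vm.provision :shell, path: "wazuh-manager.sh", args: [wazuh_version, master_ip, "master"]
    master.vm.provision :shell, path: "wazuh-api.sh", args: [wazuh_version]
    master.vm.provision :shell, path: "filebeat.sh", args: [elastic_version, master_ip, wazuh_version]
    # elasticsearch.sh names its third argument wazuh_version but never reads
    # it, so handing it the branch rather than the version is harmless today.
    master.vm.provision :shell, path: "elasticsearch.sh", args: [elastic_version, master_ip, wazuh_branch]
    master.vm.provision :shell, path: "kibana.sh", args: [elastic_version, master_ip, wazuh_version]
    # "master" makes suricata.sh publish the eve.json <localfile> entry in the
    # shared agent.conf instead of installing Suricata on this box.
    master.vm.provision :shell, path: "suricata.sh", args: [wazuh_version, master_ip, "master"]
    master.vm.network :private_network, ip: master_ip
    # Kibana on http://localhost:5601. None of the provisioning scripts configure
    # authentication on Kibana or Elasticsearch, so the forward is bound to the
    # host's loopback only (without host_ip VirtualBox listens on every host
    # interface) — NOTE(review): confirm kibana.sh still sets server.host 0.0.0.0.
    master.vm.network "forwarded_port", guest: 5601, host: 5601, host_ip: "127.0.0.1"
    master.vm.provider "virtualbox" do |vb|
      # 4096 was the earlier sizing; 2048 was found sufficient for this lab.
      # vb.memory = 4096
      vb.memory = 2048
      vb.cpus = 2
      vb.linked_clone = true
    end
    master.vm.hostname = "master"
  end

  # Agent instance: enrols against master and runs Suricata on the ET Open rules.
  config.vm.define "agent" do |agent|
    agent.vm.box = "centos/7"
    agent.vm.provision :shell, path: "wazuh.sh"
    agent.vm.provision :shell, path: "common.sh"
    agent.vm.provision :shell, path: "wazuh-agent.sh", args: [wazuh_version, master_ip]
    agent.vm.provision :shell, path: "suricata.sh", args: [wazuh_version, master_ip, "agent"]
    agent.vm.network :private_network, ip: agent_ip
    agent.vm.provider "virtualbox" do |vb|
      vb.memory = 512
      vb.cpus = 1
      vb.linked_clone = true
    end
    agent.vm.hostname = "agent"
  end

  # C2server instance: no provisioners, only a box and an address. It sits on
  # the same private network as master and agent, which is what lets the
  # Suricata sensor on the agent observe its traffic.
  config.vm.define "c2server" do |c2server|
    # Choose the OS
    # c2server.vm.box = "kalilinux/rolling"
    # c2server.vm.box = "debian/buster64"
    c2server.vm.box = "centos/7"
    c2server.vm.network :private_network, ip: c2server_ip
    c2server.vm.provider "virtualbox" do |vb|
      vb.memory = 4096
      vb.cpus = 1
      vb.linked_clone = true
    end
    c2server.vm.hostname = "c2server"
  end
end
--------------------------------------------------------------------------------
/vagrant/common.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Baseline for every CentOS box.

# Remove firewalld. With it gone every service on the box is reachable from the
# private network, the c2server VM included — NOTE(review): confirm that is the
# intended lab posture rather than adding per-service rules.
yum remove firewalld -y -q

# Install net-tools, git, zip, ntp. Failures are tolerated so provisioning
# continues on a flaky mirror or an unreachable time server.
yum install net-tools git zip ntp -y -q || true
ntpdate -s time.nist.gov || true
--------------------------------------------------------------------------------
/vagrant/elastic.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Register the Elastic 7.x yum repository. The signing key is imported first
# and gpgcheck=1 keeps package verification on.
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

cat > /etc/yum.repos.d/elastic.repo << EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1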
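autorefresh=1
type=rpm-md
EOF
--------------------------------------------------------------------------------
/vagrant/elasticsearch.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Install and configure a single-node Elasticsearch master.
#   $1  Elastic version to install (yum package version)
#   $2  address Elasticsearch binds to (network.host)
#   $3  supplied by the Vagrantfile (wazuh_branch) but not used by this script
elastic_version=$1
elastic_host=$2
wazuh_version=$3

# Install Elasticsearch
yum install "elasticsearch-$elastic_version" -y -q

# Enable Elasticsearch services
systemctl daemon-reload
systemctl enable elasticsearch

# Configure Elasticsearch master node. Nothing below enables authentication or
# TLS, so the node accepts unauthenticated requests from any host on the
# private network — lab use only.
cat > /etc/elasticsearch/elasticsearch.yml << EOF
cluster.name: "my-cluster"
node.name: "es-node-1"
node.master: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
cluster.initial_master_nodes:
  - "es-node-1"
EOF

echo "network.host: $elastic_host" >> /etc/elasticsearch/elasticsearch.yml

# Correct owner for Elasticsearch directories
chown elasticsearch:elasticsearch -R /etc/elasticsearch
chown elasticsearch:elasticsearch -R /usr/share/elasticsearch
chown elasticsearch:elasticsearch -R /var/lib/elasticsearch

# Run Elasticsearch
systemctl restart elasticsearch
--------------------------------------------------------------------------------
/vagrant/filebeat.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Install Filebeat and point it at Elasticsearch with the Wazuh alerts module.
#   $1  Elastic version (yum package version)
#   $2  Elasticsearch host written into filebeat.yml
#   $3  Wazuh version; selects the upstream release tag the configs are fetched from
elastic_version=$1
elastic_host=$2
wazuh_version=$3

# Install Filebeat
yum install "filebeat-$elastic_version" -y -q

# Enable services
systemctl daemon-reload
systemctl enable filebeat

# Filebeat configuration, pinned to the Wazuh release tag. -f makes curl exit
# non-zero on an HTTP error instead of silently writing the error page into
# the config file.
curl -sf -o /etc/filebeat/filebeat.yml "https://raw.githubusercontent.com/wazuh/wazuh/v$wazuh_version/extensions/filebeat/7.x/filebeat.yml"
curl -sf -o /etc/filebeat/wazuh-template.json \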
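"https://raw.githubusercontent.com/wazuh/wazuh/v$wazuh_version/extensions/elasticsearch/7.x/wazuh-template.json"
# Wazuh Filebeat module. -f stops a failed download from being fed to tar as
# root; the archive is fetched over HTTPS but not otherwise verified —
# NOTE(review): consider pinning a checksum for the module tarball.
curl -sf https://packages.wazuh.com/3.x/filebeat/wazuh-filebeat-0.1.tar.gz | sudo tar -xvz -C /usr/share/filebeat/module

# File permissions
chmod go-w /etc/filebeat/filebeat.yml
chmod go-w /etc/filebeat/wazuh-template.json

sed -i "s:YOUR_ELASTIC_SERVER_IP:$elastic_host:g" /etc/filebeat/filebeat.yml
## Configuring ILM (WS-245):
## NOTE(review): sed works line by line, so the "\n" in this pattern can only
## match if "settings" and "index.refresh_interval" sit on one line of the
## template; confirm the lifecycle keys actually land in wazuh-template.json.
sed '''s/ "settings": {\n "index.refresh_interval": "5s",/ "settings": {\n "index.lifecycle.name": "DeleteAfterOneYearRentention",\n "index.lifecycle.rollover_alias": "wazuh",\n "index.refresh_interval": "5s",/g''' /etc/filebeat/wazuh-template.json -i

sed -i "s/setup.ilm.enabled: false/setup.ilm.enabled: true/g" /etc/filebeat/filebeat.yml
echo '''setup.ilm.policy_name: 'DeleteAfterOneYearRentention'
setup.ilm.policy_file: '/etc/filebeat/policy.json'
output.elasticsearch.ilm.enabled: true
output.elasticsearch.ilm.rollover_alias: "wazuh"
output.elasticsearch.ilm.pattern: "{now/d}-000001"
''' >> /etc/filebeat/filebeat.yml

# ILM policy: hot 30d/50gb rollover, warm, cold at 120d, delete at 365d.
# Written with ">" (not ">>") so re-running the provisioner does not append a
# second JSON document to the file.
echo '''{"policy": {"phases": {"hot": {"actions": {"rollover": {"max_age": "30d","max_size": "50gb"},"set_priority": {"priority": 100}}},"warm": {"actions": {"set_priority": {"priority": 50}}},"cold": {"min_age": "120d","actions": {"set_priority": {"priority": 0}}},"delete": {"min_age": "365d","actions": {"delete": {}}}}}}''' > /etc/filebeat/policy.json
chown root:root /etc/filebeat/filebeat.yml

filebeat setup --index-management -E setup.template.json.enabled=false

# Run Filebeat
systemctl restart filebeat
--------------------------------------------------------------------------------
/vagrant/kibana-dev.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Developer variant: builds Kibana from source for plugin work. It is not
# referenced by the Vagrantfile and has to be run by hand.
#   $1  Kibana/Elastic version tag to check out
#   $2  Elasticsearch host, only echoed in the usage hint at the end
elastic_version=$1
elastic_host=$2

# Install Node.js from the NodeSource setup script (curl piped to bash: the
# script runs as root without being inspected first). -f makes curl fail on an
# HTTP error instead of piping an error page into bash.
curl -f \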
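--silent --location https://rpm.nodesource.com/setup_8.x | bash - > /dev/null
yum install nodejs -y

# Clone Kibana tag into an explicit path; the original cloned into the
# current directory and then assumed it was /home/vagrant.
git clone https://github.com/elastic/kibana -b "v$elastic_version" --single-branch --depth=1 /home/vagrant/kibana

# Install n, yarn and Node.js version desired by Kibana
npm install -g n
npm install -g yarn@1.10.1
n "$(cat /home/vagrant/kibana/.nvmrc)"
yes | mv /usr/local/bin/node /usr/bin/
yes | mv /usr/local/bin/npm /usr/bin/

# Build Kibana modules
cd /home/vagrant/kibana && yarn kbn bootstrap

# Correct owner for Kibana directories
chown -R vagrant:vagrant /home/vagrant/kibana

# Increasing the amount of inotify watchers
echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf && sudo sysctl -p

echo "Usage:"
echo " yarn start --oss --no-base-path --server.host=\"0.0.0.0\" --elasticsearch.hosts=\"http://$elastic_host:9200\""
echo "Note: place your pluging under /home/vagrant/kibana/plugins//"
--------------------------------------------------------------------------------
/vagrant/kibana.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Install Kibana and the Wazuh Kibana app.
#   $1  Elastic version (yum package version)
#   $2  Elasticsearch host written into kibana.yml
#   $3  Wazuh version; together with $1 it selects the Wazuh app build to install
elastic_version=$1
elastic_host=$2
wazuh_version=$3
app="${wazuh_version}_${elastic_version}"

# Install Kibana
yum install kibana-"$elastic_version" -y -q

# Enable Kibana service
systemctl daemon-reload
systemctl enable kibana

# Kibana configuration: listen on every guest interface so both the Vagrant
# port forward and the private network can reach it. No authentication is
# configured in this file, so exposure is bounded only by how the host forwards
# port 5601 and by who is on the private network.
sed -i 's:\#server.host\: "localhost":server\.host\: "0.0.0.0":g' /etc/kibana/kibana.yml

# Elasticsearch hosts
sed -i 's:#elasticsearch.hosts:elasticsearch.hosts:g' /etc/kibana/kibana.yml
sed -i "s#http://localhost:9200#http://$elastic_host:9200#g" /etc/kibana/kibana.yml

chown -R kibana:kibana /usr/share/kibana/optimize
chown -R kibana:kibana /usr/share/kibana/plugins

# Install the Wazuh app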
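sudo -u kibana /usr/share/kibana/bin/kibana-plugin install "https://packages.wazuh.com/wazuhapp/wazuhapp-$app.zip"

# Set .wazuh, .wazuh-version and wazuh-monitoring index shards and index replicas
# (single Elasticsearch node: replicas could never be allocated).
sed -i 's/#wazuh.replicas.*: 1/wazuh.replicas: 0/g' /usr/share/kibana/plugins/wazuh/config.yml
sed -i 's/#wazuh-version.replicas.*: 1/wazuh-version.replicas: 0/g' /usr/share/kibana/plugins/wazuh/config.yml
sed -i 's/#wazuh.monitoring.shards.*: 5/wazuh.monitoring.shards: 1/g' /usr/share/kibana/plugins/wazuh/config.yml
sed -i 's/#wazuh.monitoring.replicas.*: 1/wazuh.monitoring.replicas: 0/g' /usr/share/kibana/plugins/wazuh/config.yml

chown -R kibana:kibana /usr/share/kibana/optimize
chown -R kibana:kibana /usr/share/kibana/plugins

# Run Kibana
systemctl restart kibana
--------------------------------------------------------------------------------
/vagrant/suricata.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# master: publish a shared agent.conf entry so every agent forwards Suricata's
#         eve.json to the manager.
# other:  install Suricata with the ET Open ruleset and a ready-made suricata.yaml.
#   $1  Wazuh version (not used by this script)
#   $2  manager IP (not used by this script)
#   $3  "master" selects the first branch; any other value the second
wazuh_version=$1
manager_ip=$2
node_type=$3

# Add suricata to agent.conf on Master
if [[ $node_type == "master" ]]
then
  # NOTE(review): the XML element tags were stripped from this copy of the
  # script, leaving only the values "json" and "/var/log/suricata/eve.json".
  # They are restored below per Wazuh's shared agent.conf / <localfile>
  # syntax — confirm against the original file.
  cat >> /var/ossec/etc/shared/default/agent.conf << 'EOF'
<agent_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</agent_config>
EOF

# Install Suricata on Agent
else
  # The original followed every command with "wait"; with no background jobs
  # those were no-ops and are dropped.
  cd /root || exit 1
  yum -y install epel-release wget jq
  # The original fetched this .repo file with "curl -O", which wrote it to
  # /root where yum never reads it; it now goes to /etc/yum.repos.d so the
  # COPR build is actually the one installed.
  curl -sf -o /etc/yum.repos.d/jasonish-suricata-stable-epel-7.repo https://copr.fedorainfracloud.org/coprs/jasonish/suricata-stable/repo/epel-7/jasonish-suricata-stable-epel-7.repo
  yum -y install suricata
  # ET Open rules, pinned to the suricata-4.0 ruleset — NOTE(review): the
  # suricata-stable repo may install a newer major; check the rules path
  # matches the installed version.
  wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
  tar zxvf emerging.rules.tar.gz
  rm -f /etc/suricata/rules/*
  mv rules/*.rules /etc/suricata/rules/
  rm -f /etc/suricata/suricata.yaml
  # The daemon's whole configuration is pulled over plain HTTP from a
  # third-party site with no integrity check — NOTE(review): vendor this file
  # into the repository (or fetch over HTTPS and verify a checksum).
  wget -O /etc/suricata/suricata.yaml http://www.branchnetconsulting.com/wazuh/suricata.yaml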
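  # Enable and start Suricata
  systemctl daemon-reload
  systemctl enable suricata
  systemctl start suricata

  # Restart the Wazuh agent so it picks up eve.json (the original comment
  # wrongly said "manager and API")
  systemctl restart wazuh-agent
fi
--------------------------------------------------------------------------------
/vagrant/wazuh-agent.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Install the Wazuh agent and enrol it against the manager.
#   $1  Wazuh version (yum package version)
#   $2  manager IP, used for enrolment and written into ossec.conf
wazuh_version=$1
manager_ip=$2

# Install Wazuh agent
yum install wazuh-agent-"$wazuh_version" -y -q

# Register agent using authd. No enrolment password or manager certificate is
# passed, so any host that can reach the manager's enrolment service can
# register an agent — acceptable only on an isolated lab network
# (NOTE(review): confirm the manager's authd settings).
/var/ossec/bin/agent-auth -m "$manager_ip"
sed -i "s:MANAGER_IP:$manager_ip:g" /var/ossec/etc/ossec.conf

# Enable and restart the Wazuh agent
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl restart wazuh-agent
--------------------------------------------------------------------------------
/vagrant/wazuh-api.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Install the Wazuh API, from packages or from a source tarball.
#   $1  Wazuh version (yum package version)
#   $2  "sources" to build from GitHub; anything else installs the package
#   $3  git branch or tag to fetch when $2 is "sources"
wazuh_version=$1
installation_type=$2
branch=$3

# Install Node.js (NodeSource setup script piped to bash; -f keeps an HTTP
# error page from being executed)
curl -f --silent --location https://rpm.nodesource.com/setup_8.x | bash - > /dev/null
yum install nodejs -y
npm config set user 0

if [[ $installation_type == "sources" ]]
then
  curl -Lsf "https://github.com/wazuh/wazuh-api/archive/$branch.tar.gz" | tar zx
  # The original read `cd ... || echo ... && exit`, which parses as
  # `(cd || echo) && exit` and so exited even when cd succeeded.
  cd wazuh-api* || { echo "wazuh-api* directory not found" >&2; exit 1; }
  echo 'REINSTALL=y' > configuration/preloaded_vars.conf
  bash ./install_api.sh
else
  # Install Wazuh API
  yum install wazuh-api-"$wazuh_version" -y -q
fi

# Enable service
systemctl daemon-reload
systemctl enable wazuh-api

# Run Wazuh API
systemctl restart wazuh-api
--------------------------------------------------------------------------------
/vagrant/wazuh-manager.sh: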
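--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Install the Wazuh manager and enable the <cluster> block in ossec.conf.
#   $1  Wazuh version (yum package version)
#   $2  this node's IP, substituted for the NODE_IP placeholder
#   $3  "master" configures a master node; anything else a worker
wazuh_version=$1
manager_ip=$2
node_type=$3

# Shared cluster key. The default is the sample value that shipped with this
# script, which is public; set WAZUH_CLUSTER_KEY to your own value outside a
# throwaway lab (every manager in the cluster must use the same key).
cluster_key="${WAZUH_CLUSTER_KEY:-9d273b53510fef702b54a92e9cffc82e}"

# Install Wazuh manager
yum install wazuh-manager-"$wazuh_version" -y -q

# NOTE(review): the XML tags inside these sed expressions were stripped from
# this copy (they read `s::KEY:g` and `//,/<\/cluster>/`, which GNU sed
# rejects as "no previous regular expression"). They are restored below as
# edits of the default <key></key>, NODE_IP and <disabled> entries in the
# <cluster> block; confirm against the original script.
if [[ $node_type == "master" ]]
then
  # Configure Wazuh master node
  sed -i "s:<key></key>:<key>$cluster_key</key>:g" /var/ossec/etc/ossec.conf
  sed -i "s:NODE_IP:$manager_ip:g" /var/ossec/etc/ossec.conf
  sed -i -e '/<cluster>/,/<\/cluster>/ s|<disabled>[a-z]\+</disabled>|<disabled>no</disabled>|g' /var/ossec/etc/ossec.conf
else
  # Configure Wazuh worker node. The node01/master substitutions are applied to
  # the whole file, not only the <cluster> block.
  sed -i 's:node01:node02:g' /var/ossec/etc/ossec.conf
  sed -i "s:<key></key>:<key>$cluster_key</key>:g" /var/ossec/etc/ossec.conf
  sed -i "s:NODE_IP:$manager_ip:g" /var/ossec/etc/ossec.conf
  sed -i 's:master:worker:g' /var/ossec/etc/ossec.conf
  sed -i -e '/<cluster>/,/<\/cluster>/ s|<disabled>[a-z]\+</disabled>|<disabled>no</disabled>|g' /var/ossec/etc/ossec.conf
fi

# Enable Wazuh services
systemctl daemon-reload
systemctl enable wazuh-manager

# Run Wazuh manager
systemctl restart wazuh-manager
--------------------------------------------------------------------------------
/vagrant/wazuh.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Register the Wazuh 3.x yum repository. gpgcheck=1 with the Wazuh signing key
# keeps package verification on; yum imports the key on first use.
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=Wazuh repository
baseurl=https://packages.wazuh.com/3.x/yum/
protect=1
EOF
--------------------------------------------------------------------------------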